Embodiments of the invention relate generally to systems and techniques for analyzing computer code, and more particularly, to systems and techniques for determining whether computer code contains impure functions that may leave underlying data vulnerable to known security risks.
Insurance companies and other data-driven businesses use various types of customer information to generate cost estimates and/or quotations for services. For example, an insurance company may gather a prospective customer's demographic information (name, age, residence, etc.) as well as additional information, and then perform an actuarial analysis of the prospective customer based on this information to generate cost estimates. In addition, when offering a new service or business product, an analysis of proprietary historical data may be performed.
In some instances, actuaries or other employees of the business need to run calculations over large amounts of the business's proprietary data relating to a particular business product, and such data may be stored in various internal databases. In one example, to accomplish such an analysis, an employee writes a computer program, in some programming language, that contains the calculation instructions. Generally, the source code is specified or edited by the employee manually and/or with the help of an integrated development environment (IDE) comprising numerous development services (e.g., editor, debugger, auto-completion, intelligent assistance, etc.). The employee may choose to implement the source code in, for example, a functional programming language such as Clojure, Lisp, or the like. Subsequently, the source code may be compiled or otherwise transformed to facilitate execution by a computer or like device.
Unfortunately, the computer programs written by the business's employees may change the underlying proprietary data and/or may contain input/output (I/O) calls to functions outside the business product environment, and such calls may have unintended side effects and/or introduce data vulnerabilities. That is, the computer programs may contain one or more impure functions: functions whose result depends on mutable state or on external input from I/O devices, and/or functions that change the underlying proprietary data.
To alleviate the above concerns, the computer programs may be assessed using traditional static analysis of the source code for programming patterns that could be vulnerable to security threats. However, typical security-analysis techniques operate by comparing the functional programming language source code of the computer program against a generic set of uniform security standards. Such security standards typically address finding security weaknesses and vulnerabilities in the application itself. In addition, the existing security-analysis techniques fail to adequately identify whether the source code may change the underlying proprietary data of the business and/or may contain input/output (I/O) calls to functions outside the business product environment that may leave the proprietary data vulnerable.
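The following added example, which is not part of the patent text and does not describe the claimed invention's method, illustrates the kind of purity check the background above says conventional security scanners lack. It parses a small constructed Clojure-style source file, flags each `defn` whose body calls an I/O primitive or a shared-state mutation primitive, and then propagates that impurity to every function that calls an impure one. The primitive lists, the sample source, and the function names are assumptions chosen for illustration, not taken from the page.

```python
"""Flag Clojure-style functions that do I/O or mutate shared state, and
propagate that impurity through the in-file call graph (added example)."""
import re

# Constructed sample source; the function names and bodies are illustrative.
SAMPLE_SOURCE = """
(defn premium [age base]
  (* base (if (> age 60) 1.5 1.0)))
(defn load-rates []
  (read-string (slurp "rates.edn")))   ; external input
(defn record-quote! [q]
  (swap! quotes conj q))               ; mutates shared state
(defn quote-customer [cust]
  (let [r (load-rates)
        q (premium (:age cust) (:base r))]
    (record-quote! q)
    q))
"""

# Assumed, illustrative lists of impure primitives; a real tool would be
# configured with the I/O and mutation entry points of its own environment.
IO_PRIMITIVES = {"slurp", "spit", "println", "print", "read-line", "line-seq"}
MUTATION_PRIMITIVES = {"swap!", "reset!", "alter", "ref-set", "set!", "commute"}

# String literals, delimiters, and bare atoms (symbols, keywords, numbers).
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[()\[\]{}]|[^\s()\[\]{}]+')
OPEN, CLOSE = ("(", "[", "{"), (")", "]", "}")
NUMBER_RE = re.compile(r"[-+]?\d[\d.]*")


def tokenize(src):
    """Strip ';' comments and split the source into tokens."""
    return TOKEN_RE.findall(re.sub(r";.*", "", src))


def parse(tokens):
    """Build nested Python lists from the tokens; atoms stay as strings."""
    stack = [[]]
    for tok in tokens:
        if tok in OPEN:
            stack.append([])
        elif tok in CLOSE:
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced delimiters")
    return stack[0]


def symbols(form):
    """Yield every symbol in a form, skipping strings, keywords and numbers."""
    if isinstance(form, list):
        for sub in form:
            yield from symbols(sub)
    elif not (form.startswith('"') or form.startswith(":") or NUMBER_RE.fullmatch(form)):
        yield form


def definitions(forms):
    """Map each top-level (defn name ...) to its argument vector and body."""
    return {f[1]: f[2:] for f in forms
            if isinstance(f, list) and len(f) >= 3 and f[0] in ("defn", "defn-")}


def direct_impurities(body, local_fns):
    """Reasons a body is impure on its own; calls to local fns are handled separately."""
    reasons = set()
    for sym in symbols(body):
        if sym in local_fns:
            continue
        if sym in IO_PRIMITIVES:
            reasons.add("io:" + sym)
        elif sym in MUTATION_PRIMITIVES or sym.endswith("!"):  # Clojure '!' convention
            reasons.add("mutation:" + sym)
    return reasons


def analyze(src):
    """Return {fn-name: sorted reasons}; an empty list means the function is pure."""
    defs = definitions(parse(tokenize(src)))
    reasons = {name: direct_impurities(body, defs) for name, body in defs.items()}
    callees = {name: {s for s in symbols(body) if s in defs and s != name}
               for name, body in defs.items()}
    changed = True
    while changed:  # fixpoint: a caller of an impure function is impure
        changed = False
        for name in defs:
            for callee in callees[name]:
                tag = "calls:" + callee
                if reasons[callee] and tag not in reasons[name]:
                    reasons[name].add(tag)
                    changed = True
    return {name: sorted(r) for name, r in reasons.items()}


def impure_functions(src):
    """Names of all functions that are directly or transitively impure."""
    return sorted(name for name, r in analyze(src).items() if r)


if __name__ == "__main__":
    for name, why in analyze(SAMPLE_SOURCE).items():
        print(f"{name:16} {'PURE' if not why else ', '.join(why)}")
```

The transitive step matters for the concern raised above: `quote-customer` contains no I/O or mutation primitive itself, so a scanner that only pattern-matches the body of each function would report it as safe, yet it reads external input through `load-rates` and alters shared state through `record-quote!`. A production checker would additionally need to resolve namespaced symbols and calls into other files, which this example omits.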